jwt Invalidating Json Web Tokens Remove the token from client storage


Remove the token from the client storage to avoid usage

Tokens are issued by the server and you can not force browsers to delete a cookie/localStorage or control how external clients are managing your tokens. Obviously if attackers have stolen the token before logout they still could use the token, therefore are needed additional measures in server side (see below for token blacklist strategy)


You cannot force browsers to delete a cookie. The client can configure the browser in such a way that the cookie persists, even if it's expired. But the server can set the value to empty and include expires field to invalidate the cookie value.

 Set-Cookie: token=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT

Delete 'token' with javascript

document.cookie = 'token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';